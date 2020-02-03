Every new week apparently brings with it a disturbing discovery of unprotected and exposed personal data on the internet. Different companies – spread across industries as varied as pornography, cannabis and medical records – mess up in ways that are difficult to dissect, all with the same victim: your privacy.

Although the scale and severity may vary, a single theme often unites any newsworthy incident: an unsecured Amazon S3 bucket with customer, medical, or financial information that has been omitted for anyone with the right know-how to drive.

The question why this continues to happen is an important question that unfortunately will not disappear quickly.

You might be wondering what an Amazon S3 bucket is exactly. The short and simplified answer is that it is a virtual storage unit that some companies pay for. But more about that later.

Your next question is probably clearer: is this all Amazon’s fault? The huge company certainly has some blame in the general erosion of our privacy. But the reason that all your personal details have been uncovered in the past, and likely to be in the future, is much more complicated.

Unfortunately, this means that it is also harder to prevent.

Exposed

All too often, when security researchers or hackers find personal information online, it is in an unprotected Amazon S3 bucket. We see this time and time again, often with extremely disturbing results.

Hundreds of millions of Facebook user records remained visible. Almost eight hundred thousand applications for birth certificate copies are ripe for the taking. Tens of thousands of private data from cannabis users almost beg to be stolen. Such incidents – and there are many more – are all connected by one cloud computing platform: Amazon Web Services.

What is going on here? Do customers simply misuse the product, or is there a form error that makes unintended exposure of data inevitable?

To answer that question, I spoke with a number of security experts who were familiar with S3 buckets and cyber crime. I have also repeatedly contacted Amazon for an on-the-record statement. I wanted to offer the company the opportunity to explain, in its own words, why its services are the connecting factor in losing so much privacy.

The company declined to comment.

I have also contacted numerous companies that have messed up the details of their own customers. From the perspective of an Amazon S3 customer, I hoped to understand why this will continue to happen. Perhaps not surprisingly, no one responded to my requests.

Fortunately, for anyone trying to understand the sometimes confusing world of incorrectly configured buckets, safety experts are happy to share their expertise.

Amazon S3 buckets

To begin with, it is worth understanding what a “bucket” is in this context. Perhaps the easiest way to think of it as a “folder” on a PC. In other words, it is a way for AWS customers to organize the files for which they pay Amazon to save.

“S3 buckets are a great way to host content,” said Dan Tentler, executive founder of the security company Phobos Group, via email. “You will often find stores that use AWS to do things such as saving logs, storing uploaded user content, exporting huge data processing clusters, all kinds of things! For example – every file you’ve ever uploaded to Slack is in an S3 bucket ! “

Some buckets – which contain, for example, a company database with e-mails from customers and telephone numbers – must be set to private by administrators. Other buckets contain public information and are intentionally made public. This makes sense.

It is when the two get confused that problems arise.

View those buckets.

Image: amazon

“At the end of the day, it is easy to classify these types of accidents into two piles: people who worry and people who don’t,” wrote Tentler. “In almost every case, it’s the people who don’t care who are responsible for this kind of breach because they didn’t take the 5 minutes to read about the S3 security settings and used the bucket correctly for setting.”

It is important that Amazon protects standard S3 buckets. In other words, to make a bucket publicly accessible to any old hacker or security investigator who knows where to look – as was the case with the nearly 800,000 copies of birth certificate applications listed above – someone must actively mess up. Or, as Tentler put it, don’t care.

Maybe it’s hard to call some of your customers idiots?

Although human error capacity is unlimited, this S3 bucket error can occur in three different ways: for example, an AWS customer can take sensitive data and accidentally place it in a publicly-set bucket. Or, more likely, the same AWS customer can accidentally change the setting of an entire bucket to public. Another, less charitable statement is that an administrator temporarily changes the setting of a private bucket to public as a one-off shortcut for sharing data and then forgets to switch it back.

While in all three cases the fault lies with the customer, the first two suggest that Amazon does not do everything to make it explicitly and immediately clear to an administrator that a bucket is publicly accessible.

And yet…

Check the image above. It shows from the end of 2017 what the back of an S3 console looks like. Do you notice something? In particular, there is a full ‘Access’ column that tells an administrator whether or not a bucket is public.

It’s pretty hard to miss.

As mentioned earlier, I contacted Amazon in an attempt to determine why it thinks this mistake is always being made, but I received no response on the spot.

Maybe it’s hard to call some of your customers idiots?

Set to fail

In some ways, Amazon Web Services is the victim of its own success.

According to Gartner, a technology consulting firm, in 2018, Amazon captured 47.8 percent of the total “infrastructure as a service” market that includes AWS. In other words, Amazon is popular – both with website administrators who know how to properly protect buckets and those who don’t.

To be clear: it is not only the products of Amazon Web Services that are sometimes incorrectly configured. Last April, we heard of a likely incorrectly configured Microsoft cloud server that uncovered the personal information of 80 million households. Oops.

“The use of ‘the cloud’ is a double-edged sword,” wrote Tentler. “On the one hand it has become trivial to perform large-scale operations, host terabytes of data or implement new sites and applications – on the other hand, because it is so simple, the entry threshold that used to be ‘you’ must be at least being so long to drive “has disappeared – and literally everyone can do it.”

If administrators know nothing about correctly configuring an S3 bucket and they don’t take the time to learn, they endanger everyone’s data.

Victor Gevers, a security researcher working with the non-profit GDI Foundation to find and disclose security leaks, has agreed with Tentler. He first emphasized via Twitter direct messages that S3 buckets are private by default, but then made an analogy that is worth teasing.

Putting the blame on Amazon customers alone is a bit of a way out.

“So if files are publicly accessible, this is done by the customer,” he wrote. “Can you blame a car company for causing drivers to crash?”

But what if the car has a defective design?

UpGuard, a company that bills itself as “(helping) companies in managing cyber security risks,” alerts companies when they have left data on the internet. Over the years, UpGuard researchers have discovered millions of private records that have been exposed to incorrectly configured S3 buckets. And, as the company’s vice president of marketing, Kaushik Sen, wrote in a blog post from December 2019, it’s a bit of a cop to just blame it on Amazon customers.

“Our opinion is that AWS has made it far too easy for S3 users to incorrectly configure buckets to make them fully publicly accessible via the internet,” he wrote. “It is up to AWS to make better security solutions as standard.”

Chris Vickery, an UpGuard risk analyst, added by email that: “It usually comes down to the rule of thumb that” if it can be configured incorrectly, some users will configure it incorrectly. “

Vickery shared with Mashable a specific example from Amazon that put its customers in trouble.

“Many people assumed (the ‘Global Authenticated Users’) optional access setting opens a storage repository” globally “within their organization, but still does not allow the general public to download items into it,” he explained. “However, Amazon considers Global Authenticated Users to be anyone in the world who is logged into Amazon Web Services (AWS). End users can arguably be justified not to consider this result, because it stunns me that such an institution would in the first place be an option be included. “

Unfortunately, at least for the moment, all steps Amazon is taking to provide clarity do not seem sufficient to stop a flood of incorrectly configured buckets. And so, expect you to keep reading the accounts of your personal information so that it remains visible to criminals and security investigators on the internet.

Is technology not great?

